ISACA Barcelona Chapter Congress - July 2011

Non-IT presentation that delivers a message on the need of understanding the human factor, immortality through technology, the moment of NOW, building bridges, singularity,...
The first 46 slides are NOT relevant since the 'real' presentation starts in slide 47... This is one presentation to attend and cannot be followed just by seeing the slides...

Notes

  • Talking Points:
    Explosive growth of mobile devices – mobile devices are getting more sophisticated and becoming desktop and laptop replacements.
    38 U.S. states and a growing number of countries have laws in place to protect the confidentiality of sensitive information. Specific industries (e.g. retail with PCI, financial services with GLBA) have also developed their own privacy guidelines and regulations. This trend is growing – not shrinking.
    Running afoul of these regulations leads to public embarrassment, cost of disclosure, and recovery costs. Gartner estimates that companies can expect to spend between $200 and $1000 per record lost to recover from a data breach.
    All of these drivers have made data protection the #1 priority of CISOs, according to a Merrill Lynch CISO survey.
  • 3-layer architecture
  • Regarding IC, each organization needs to decide how important each attribute is for its business; this profile expresses the enterprise's position and appetite for risk.
  • Business Service Optimization is about helping companies achieve IT governance and business and IT alignment. Business Service Optimization helps IT translate business demand into IT services and cost-effectively deliver those services to the business.

    And here's how you can realize this vision:
    First off, there needs to be a single mechanism and process for capturing business demands.
    Second, IT has to be empowered to respond to those demands by delivering a service to the business. The service definition should include the performance (or service levels) that will be delivered and the costs associated with the service. By providing this kind of insight, IT can enable the business to make prioritization and trade-off decisions.
    Finally, the people, projects, and IT assets that support service delivery need to be optimized.

    Consider the following example. Suppose the business is a retailer with an online sales channel. The business has had a successful online store for some time, but they have found that their customer service department is spending a lot of time fielding calls from customers checking their order status and expected arrival dates. In order to reduce the number of calls being made to their customer support desk (and thereby reduce the cost of sale), the company would like to provide customers with an interface they can access to investigate the status of goods ordered.

    To meet this demand, the IT department would need to create a new online application that integrates with the company's order processing and inventory systems, and can retrieve information from the company's distribution partners in order to provide the customer with up-to-the-minute insight into where the ordered goods currently are.
    Ideally, the IT department would let the business know the performance and costs that can be delivered—for instance, that the current architecture would be able to support 500 customers a minute with a response time of 5 seconds or less. If the business needs to support more customers per minute or provide better response times, the IT department should be able to provide insight into what the additional costs would be of server upgrades to attain the desired level of performance.
  • Align IT with your business – from requirements to service levels.
    Integrate application development and application management cycles.

    CA's vision is about Life Cycle Management (LCM).

    What do we mean by LCM?
    TAM is about aligning application development to better serve the business by delivering an infrastructure to support the design, development, testing, management and service of business-critical applications.

    CA's vision for LCM is about:
    Better service to the business by alignment of IT development and IT operations
    Faster delivery of higher-quality applications
    Simpler environments and rapid deployment of new capabilities
    Reduced:
      Labor and skill specialization
      Costs
      Complexity
      Customization of vendor software

    CA's solutions are integrated to derive immediate value. Examples of such integrations include:
    AllFusion Change Management Suite — Unicenter ServicePlus Service Desk
    AllFusion ERwin Data Modeler — Advantage Gen
    Advantage Gen — AllFusion Change Management Suite
  • Protecting your data effectively requires different thinking. Data is easy to lose, easy to transfer, and very enticing to steal. Your security infrastructure must enable your data to protect itself regardless of how it is used, where it is located, what devices access it, and how users access it.
  • <<Click>> - Service Management – Service Support can be used as a central clearing house for all IT project requests. At this stage, requests for new projects can be quickly assessed and routed through to the project portfolio management system with all key decision makers and stakeholders identified.

    <<Click>> - During the assessment and prioritization phase, IT asset management solutions can be used to identify the technology resources required to support the project. Here such solutions as Unicenter Asset Intelligence can be used to provide management with the analysis needed to facilitate the most cost-effective asset investment decisions, and highlight areas that could compromise project success.

    <<Click>> - Having identified asset requirements, software change management procedures can then be linked to an approved project. An important benefit here is that change management becomes much more efficient, since activities, tasks and resources are initiated in accordance with projects prioritized by business and IT (another illustration of alignment).

    <<Click>> <<Click>> - Taking the process one step further, IT Financial Management can be used to meter and measure the performance of the business services, with Service Delivery solutions assisting with service deployment, activation and ongoing assessment of service quality against agreed service levels "contracted" between IT and the business.
  • CA SSO is a proven solution with all the necessary capabilities. Many of these features have already been described, but the ones that haven't are:
    Offline Operation - Users can access applications through CA SSO even when they are working remotely or offline. This enables workers to benefit from automated sign-on and improved security even when working with common offline applications such as Lotus Notes applications.
    Secure Encryption – CA SSO encrypts login data in the data store and during all communications.
    Single Sign-Off - When a user logs off CA SSO or their session is automatically terminated, a user's open applications can be gracefully closed down according to predefined parameters. This helps prevent incomplete data or actions from being improperly saved or discarded.
    Session Management – CA SSO allows administrators to define session parameters such as the maximum number of sessions that a user can have active at the same time. This minimizes the risk of inappropriate access to sensitive applications when users forget to log off in shared-workstation environments.
    Station Lock – Administrators can set inactivity timing for automated logoff if a session has been idle for a certain period of time.
    Session Migration - A user session can be restored later on the same or a different workstation with all applications restored where they were. This is enabled through out-of-the-box integration with Citrix MetaFrame.
    One-Time Passwords - Application passwords for UNIX applications can be changed after each use to mitigate the risk of network sniffing of insecure protocols such as telnet. This is transparent to the user.
    Failover – CA SSO can be configured to survive most disasters. It provides a hot backup service that is dynamic and automatic.
    Server Watchdog – The CA SSO Server Watchdog constantly monitors the status of the Policy Server and can report this status to external devices and network monitoring software.
    Sensitive Applications - Organizations can identify applications that are sensitive from a security or other perspective, and require the user to re-authenticate before running such applications.
  • We built upon other disciplines like network management, asset management (CMDB) and storage management (backup & contingency plan) so as to provide a unique repository of information, and began escalating in what we called "The road to management".
    "You need to know what you have to be able to protect it."
  • 3-layer architecture
  • So why is all of this happening? Why, given all the money spent on security, do these problems continue?
    The answer is surprisingly simple. They exist due to "perimeter-centric" approaches to information security.
    The majority of today's security solutions are perimeter-centric in the sense that they secure:
      Perimeters (firewalls, VPNs, etc.)
      and resources (laptops, servers).
    While these solutions are necessary components of a comprehensive security strategy, they protect proxies to information, rather than the information itself.
    Perimeter-centric approaches ignore the fact that information lives and moves throughout its lifecycle.
    When data leaves the protected assets, or perimeters, it is no longer secured.
    What has been done to date is necessary, but insufficient.
    What we need is a new approach that also secures the information itself, complementing the perimeter-centric approach:
      Provides layered protection that defends in depth
      Keeps security decisions in the hands of security experts
      Enables your data and infrastructure to protect itself against security threats

Transcript

  • 1. Welcome (Bienvenidos / Benvinguts). Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt. Chief Strategy Officer, Entelgy. rgallego@entelgy.com
  • 2. Processes and Procedures: 14 processes, 36 procedures
  • 3. The human factor. Considerations on staff planning: taking into account communication skills and technical and social abilities; maximising their experience and willingness to execute.
  • 4. Market size (CAGR = 10.4%). Target market: infrastructure management (network and systems management), storage management, security management, data and application management, development management. Chart: market size 2003-2007, growing exponentially.
  • 5. Growth of mobile devices, privacy regulations, corporate and public-image cost. Chart: units sold 1995-2010 (desktops, laptops, PocketPC, Palm/Treo, iPhone/BlackBerry, USB memory sticks). Data protection is the number 1 priority for CISOs.
  • 6. Processes and Procedures: Early Warning Service. T3: PT002 is executed. The local SOC assigned to the work order carries out the work following the guidelines set out in PT002 – Procedure for Performing On-Demand Ethical Hacking.
  • 7. Discovery, Inventory, Vision. Diagram of data sources: manual entry, APIs, applications, open SQL access, HP-OV, relational, Tivoli connector, assets, other.
  • 8. Cost structure
  • 9. A continuous process
  • 10. Before / After. Diagram: discovery, inventory, assets in service, discovered assets, monitored assets, licensed assets, network management, security.
  • 11. IT GOVERNANCE. Diagram: demand, processes, life cycle, people and projects, services, business, IT portfolio, IT, good practices, assets. IT alignment? Provide the best value with the available resources; enable IT to keep its promise to the business; improve IT efficiency through processes and good practices.
  • 12. Processes and Procedures: Early Warning Service. T2: the request is analysed through procedure PG002, assigned to a local SOC, and the customer is informed. Once the request has been received and its completeness assessed, PG001 – Ethical Hacking Service Assignment Procedure must be carried out.
  • 13. Service Management life cycle. Diagram: plan; performance and health; model; change management; metadata management; deliver; code and automate the application; provision; test.
  • 14. Easy to lose, easy to copy, useful if stolen. Chart: value on the 'black market' (490 €, 147 €, 147 €, 98 €; Bluetooth). Information must be protected regardless of: use, location, device, access.
  • 15. Governing in the cloud / Operating in the cloud. Diagram axes: Organisation; Technology/Infrastructure (the remaining diagram labels are not recoverable from the extraction).
  • 16. Identity management diagram (Entel IdM): mainframe, Unix, databases, Windows, MS Exchange; % functional; web interface; user; LDAP directory; request self-service; password self-service; IdM web interface; automatic entry; delegated administration; Human Resources; Internet; HR system.
  • 17. A business-oriented model conceived by the University of Southern California Marshall School of Business to approach the complex challenges of protection. Developed by ISACA to provide a practical approach to information security management that is understandable and usable by business and security staff.
  • 18. Service Management - Delivery Management: provisioning and quality assurance. Service Management - Support Management: centralised control of requests. Project and portfolio management: prioritise IT projects according to their value to the business. IT asset management: advise on assets. IT financial management: enable service measurement. Software change management: initiate change management tasks and activities.
  • 19. Processes and Procedures: real example of a process for managing a customer-owned firewall.
  • 20. Full coverage of the environment; application assistant; centralised administration; flexible authentication; offline operation; integration with IAM; Single Sign-Off; encryption; session management; password management; session migration; station lock; failover; One-Time Passwords; SSO status monitoring; sensitive applications.
  • 21. Data Center management: application silos; virtualisation zones; SODC (Internal Cloud); SaaS, IaaS and PaaS (External Cloud). Layers: apps, servers, network, storage. From silos to dynamic Data Centers: centralise, standardise, consolidate, virtualise, automate, self-service.
  • 22. Security monitoring pyramid, from data to action:
    ACTION: alarm escalation, invocation of the management console, response model; response/alert management (e-mail, pager, mobile).
    KNOWLEDGE: event presentation/reporting (display the event, trend analysis, security reports, performance reports, system security health, pattern discovery/prioritisation, assign ownership); event correlation (event prioritisation, event association, security modelling, event aggregation).
    INFORMATION: monitoring; normalisation and data reduction (data reduction, event comparison, event de-duplication, data filtering).
    DATA: event monitoring, third-party integration, protocol support, data repository, data capture (Syslog, SNMP, API).
  • 23. Examples of risk scenarios
  • 24. PHYSICAL / VIRTUALISED / POOLED. Diagram of hardware (HW) units under each model, with resource pools labelled R and P, 1 and 2.
  • 25. Diagram of perimeter controls: antivirus, change management / patch management, authentication, threat detection, VPN, LAN, clients, URL filtering, antispyware, servers, firewall.
  • 26. Management system: management needed at every level; objective-oriented management; secure access; risk management; disaster recovery; chargeability of 'grid' resource usage.
  • 27. Who / What / Where / How
    Who                 | What                    | Where                  | How
    Human Resources     | Source code             | Benefits server        | FTP
    Customer Service    | Business plans          | Website with spyware   | HTTP
    Marketing           | Customer records        | Strategic alliance     | IM
    Administration      | Acquisition plans       | Blog                   | P2P
    Finance             | Patient information     | Customer               | SMTP
    Sales               | Financial statements    | Board of Directors     | Network printer
    Legal Department    | Employee information    | North Korea            |
    Technical Support   | Technical documents     | Competitor             |
    Engineering         | Competitor information  | Analyst                |
  • 28. IT cost breakdown. Charts: IT costs (infrastructure costs, application development, application maintenance, other); capital expenditure (hardware, network and telecommunications equipment, software, physical site); operating expenses (personnel, administration, traffic consumption, maintenance, other). The percentages on the charts are not reliably recoverable from the extraction.
  • 29. Human factor, collaboration, synchronicity, immortality, Gen X - Gen Y, sustainability, optimism, resilience, re-evolution.
  • 30. For your eyes only
  • 31. Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt. Chief Strategy Officer, Entelgy. +34 678 444 783, rgallego@entelgy.com
  • 32. The future is going to change
  • 33. THANK YOU (GRACIAS / GRÀCIES)